
Critical Vulnerability in Erlang/OTP SSH Server: CVE-2025-32433
Introduction
On April 16, 2025, a critical security advisory was published regarding a vulnerability in the Erlang/OTP SSH server. This vulnerability, designated as CVE-2025-32433, allows for unauthenticated remote code execution (RCE), posing a severe threat to systems utilizing affected versions of Erlang/OTP.
What is Erlang/OTP?
Erlang/OTP is a set of libraries and tools for the Erlang programming language, widely used in systems that require high availability and scalability, such as telecommunications and web applications, particularly within the Elixir ecosystem. The SSH server component enables secure remote access, making it a critical part of many deployments.
Vulnerability Details
The vulnerability stems from a flaw in how the SSH server handles SSH protocol messages, which an attacker can exploit to execute arbitrary commands on the server without authenticating. This could lead to unauthorized access, data breaches, or complete system compromise. The vulnerability has been assigned a CVSS v3 score of 10.0 out of 10, the highest severity level, reflecting both its potential impact and its ease of exploitation.
Affected and Patched Versions
The following versions of Erlang/OTP are affected:
- OTP-27.3.2 and earlier
- OTP-26.2.5.10 and earlier
- OTP-25.3.2.19 and earlier
Patched versions that address this vulnerability are:
- OTP-27.3.3
- OTP-26.2.5.11
- OTP-25.3.2.20
Users are strongly advised to update to these patched versions immediately.
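To turn the version lists above into a repeatable check, the following added example (not part of the advisory or of the Erlang/OTP project) classifies OTP version strings against the patched releases named above. It generalizes slightly: any release at or above the patched version on the same line is treated as patched, consistent with the advisory's "and earlier" wording, and versions on lines the advisory does not mention are reported as unlisted rather than guessed at. The sample inventory, function names and the hypothetical hostnames are constructed for illustration; the file path helper assumes the usual layout of an OTP install, where the full version string is kept in the OTP_VERSION file under releases/<major>/ in the Erlang root directory.

```python
"""Classify Erlang/OTP version strings against the CVE-2025-32433 advisory.

Added example: patched-version floors come from the advisory text; everything
else (function names, sample inventory, hostnames) is constructed for this
demonstration and is not part of the advisory or of Erlang/OTP.
"""
import re

# Lowest patched release per OTP line, as listed in the advisory.
PATCHED = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}

# Accepts "OTP-27.3.2", "OTP_27.3.2" or a bare "27.3.2.1".
_VERSION_RE = re.compile(r"^(?:OTP[-_])?(\d+(?:\.\d+)*)$")


def parse_otp_version(text):
    """Turn a version string such as 'OTP-27.3.2' into a tuple of ints."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised OTP version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def assess(text):
    """Return 'vulnerable', 'patched' or 'unlisted' for one version string.

    Tuple comparison gives the usual dotted-version ordering, so 27.3.2.1
    sorts below 27.3.3 and is still vulnerable, while 26.2.6 sorts above
    26.2.5.11 and is patched.
    """
    version = parse_otp_version(text)
    floor = PATCHED.get(version[0])
    if floor is None:
        # Line not covered by the advisory (e.g. an end-of-life release);
        # flag it for manual verification instead of guessing.
        return "unlisted"
    return "patched" if version >= floor else "vulnerable"


def read_otp_version_file(path):
    """Read the version string from an OTP_VERSION file (assumed layout:
    <erlang root>/releases/<major>/OTP_VERSION)."""
    with open(path, encoding="ascii") as fh:
        return fh.read().strip()


def summarise(inventory):
    """Map host -> version string to host -> assessment, grouping hosts
    that need attention first so the output doubles as a work list."""
    results = {host: assess(ver) for host, ver in inventory.items()}
    order = {"vulnerable": 0, "unlisted": 1, "patched": 2}
    return dict(sorted(results.items(), key=lambda kv: order[kv[1]]))


if __name__ == "__main__":
    # Constructed inventory; hostnames and versions are illustrative only.
    sample = {
        "msg-broker-1.example": "OTP-27.3.2",
        "msg-broker-2.example": "OTP-27.3.3",
        "legacy-gw.example": "26.2.5.10",
        "lab-node.example": "24.3.4",
    }
    for host, status in summarise(sample).items():
        print(f"{status:10s} {host} ({sample[host]})")
```

Feed it the contents of each host's OTP_VERSION file (or the version strings from your package inventory); anything reported as vulnerable or unlisted needs either the upgrade listed above or a manual check.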
Impact
All deployments that run the Erlang/OTP SSH server and expose it to clients are affected. Given the critical nature of the vulnerability, the likelihood of exploitation is high, especially for internet-facing systems.
Mitigation Strategies
- Update to Patched Versions: The primary and most effective mitigation is to update to the latest patched versions of Erlang/OTP.
- Temporary Workarounds: If updating immediately is not possible, disable the SSH server or add firewall rules that restrict access to the port on which the Erlang SSH daemon listens to trusted hosts only.
Proof of Concept (PoC)
As of April 17, 2025, no publicly available PoC has been identified. Extensive searches across security databases, social media platforms, and research publications have not yielded any PoC for this vulnerability. Given how recent the disclosure is, it is likely that no PoC has been made public yet.
Credits
The vulnerability was discovered by Fabian Bäumer, Marcel Maehren, Marcus Brinkmann, and Jörg Schwenk from Ruhr University Bochum, who responsibly disclosed it to ensure timely patching.
Conclusion
This critical vulnerability in the Erlang/OTP SSH server underscores the importance of keeping software up to date and monitoring security advisories. System administrators should take immediate action to update their systems to the patched versions to prevent potential exploitation.